[debian-mysql] Bug#775882: Bug#775882: mariadb-10.0: affected by CVEs of the Oracle Patch Update for January 2015?
Salvatore Bonaccorso
carnil at debian.org
Tue Jan 27 06:09:33 UTC 2015
Hi Otto,
On Mon, Jan 26, 2015 at 09:03:28PM +0200, Otto Kekäläinen wrote:
> The page https://mariadb.com/kb/en/security/ has been updated and includes
> info about these latest CVEs.
>
> It seems most issues were fixed in 5.5.41/10.0.16.
> One was for 5.5.39/10.0.13.
>
> 10.0.16 hasn't been released yet, but I expect it to be released soon
> and I will try to be as fast as possible in updating the package in
> Debian once the .16 release is out.
>
> CVE-2015-0385 and CVE-2015-0409 are not listed in the MariaDB security
> list. I've sent email asking about their status and I'll track the
> results in this bug report.
>
> Here is some background info about the CVE status by a MariaDB core
> developer: https://lists.launchpad.net/maria-discuss/msg02153.html
Thanks for the update and checking with upstream regarding the two
other CVEs. 10.0.16 seems now available[1] (even though not yet
announced on the webpage itself).
[1] https://downloads.mariadb.com/files/MariaDB/mariadb-10.0.16/source
Regards,
Salvatore
p.s.: FYI, if you also want to reach the submitter of a bug, adding it
to Cc is needed, since nnnn at bugs.debian.org does not reach the
original submitter, see https://www.debian.org/Bugs/Developer#followup